actionpack 5.2.4.3 → 5.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 96e28e2da73fb0ace4e8c62221ba405c625b91a1a5a66c691862543b557fb193
-  data.tar.gz: 0eb0326558ad0f1e88d21cff30e29d24a3dbee244140d1099aca3d9fb2610d3c
+  metadata.gz: 63b72a20df1a2ed50dd3c7bc20791c4979eb1a886770734721d7ffca4d9a4cfb
+  data.tar.gz: f9c384ee114ec9e287a157fb5150cdcf86c79256cfaec9611edccc2ba18b7ff2
 SHA512:
-  metadata.gz: b29c5f753ceebd2fea0b9ef51563c3b728fafb0d45d9cba7dc6ed16507557d986114a323071c6fa4ad81c0e10534483dd9e374039c1d9827ccedc010c7ac528c
-  data.tar.gz: eac84dbeb5610ea6327a32268820fcf214ad84fb943fd3f98f4b4b905287afe22e33993e075081bf7cc9fd534eb8d7fef100e938ae5d75dabe977e778852b329
+  metadata.gz: f33d0e9bb9cfb6a2ede9b0d11fad30752d92c3f81d07efd249cd7621b39430d0b5464e58f244d9cdbfce41e511d8dcc89f8539ee34218b369c6d0660b9d56340
+  data.tar.gz: c964bc901dc5baf4fa6f049005f8a6d164bd705c3c958614c13ec1f3b8cb30a31d12ca10577f72fc3cdf446bfa9b05d95bd186da6b2815426b464ece0dc596ab

data/CHANGELOG.md

@@ -1,3 +1,64 @@
+## Rails 5.2.6 (May 05, 2021) ##
+
+*   Accept base64_urlsafe CSRF tokens to make forward compatible.
+
+    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+    them difficult to deal with. For example, the common practice of sending
+    the CSRF token to a browser in a client-readable cookie does not work properly
+    out of the box: the value has to be url-encoded and decoded to survive transport.
+
+    In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
+    safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
+    tokens for backwards compatibility.
+
+    How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
+    config.
+
+    In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
+
+    **Atention**: If you already upgraded your application to 5.2.5, set the config
+    `urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
+    during the deploy of this new version.
+
+    ```ruby
+    Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+    ```
+
+    If you are upgrading from 5.2.4.x, you don't need to change this configuration.
+
+    *Scott Blum*, *Étienne Barrié*
+
+
+## Rails 5.2.5 (March 26, 2021) ##
+
+*   No changes.
+
+
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+*   Prevent regex DoS in HTTP token authentication
+    CVE-2021-22904
+
+*   Prevent string polymorphic route arguments.
+
+    `url_for` supports building polymorphic URLs via an array
+    of arguments (usually symbols and records). If a developer passes a
+    user input array, strings can result in unwanted route helper calls.
+
+    CVE-2021-22885
+
+    *Gannon McGibbon*
+
+## Rails 5.2.4.5 (February 10, 2021) ##
+
+*   No changes.
+
+
+## Rails 5.2.4.4 (September 09, 2020) ##
+
+*   No changes.
+
+
 ## Rails 5.2.4.3 (May 18, 2020) ##
 
 *   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
@@ -5,6 +66,11 @@
 *   [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
 
 
+## Rails 5.2.4.2 (March 19, 2020) ##
+
+*   No changes.
+
+
 ## Rails 5.2.4.1 (December 18, 2019) ##
 
 *   Fix possible information leak / session hijacking vulnerability.
@@ -12,6 +78,11 @@
     The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
     gem dalli to be updated as well.
 
+    _Breaking changes:_
+    *   `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
+    *   Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
+        ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
+
     CVE-2019-16782.
 
 

data/lib/action_controller/metal/http_authentication.rb

@@ -406,7 +406,7 @@ module ActionController
     module Token
       TOKEN_KEY = "token="
       TOKEN_REGEX = /^(Token|Bearer)\s+/
-      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
       extend self
 
       module ControllerMethods

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -92,6 +92,10 @@ module ActionController #:nodoc:
       config_accessor :default_protect_from_forgery
       self.default_protect_from_forgery = false
 
+      # Controls whether URL-safe CSRF tokens are generated.
+      config_accessor :urlsafe_csrf_tokens, instance_writer: false
+      self.urlsafe_csrf_tokens = false
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
@@ -321,11 +325,6 @@ module ActionController #:nodoc:
           global_csrf_token(session)
         end
 
-        one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
-        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
-        masked_token = one_time_pad + encrypted_csrf_token
-        Base64.urlsafe_encode64(masked_token, padding: false)
-
         mask_token(raw_token)
       end
 
@@ -338,7 +337,7 @@ module ActionController #:nodoc:
         end
 
         begin
-          masked_token = Base64.strict_decode64(encoded_masked_token)
+          masked_token = decode_csrf_token(encoded_masked_token)
         rescue ArgumentError # encoded_masked_token is invalid Base64
           return false
         end
@@ -376,7 +375,7 @@ module ActionController #:nodoc:
         one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
         encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
         masked_token = one_time_pad + encrypted_csrf_token
-        Base64.strict_encode64(masked_token)
+        encode_csrf_token(masked_token)
       end
 
       def compare_with_real_token(token, session) # :doc:
@@ -402,8 +401,8 @@ module ActionController #:nodoc:
       end
 
       def real_csrf_token(session) # :doc:
-        session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
-        Base64.strict_decode64(session[:_csrf_token])
+        session[:_csrf_token] ||= generate_csrf_token
+        decode_csrf_token(session[:_csrf_token])
       end
 
       def per_form_csrf_token(session, action_path, method) # :doc:
@@ -466,5 +465,57 @@ module ActionController #:nodoc:
         uri = URI.parse(action_path)
         uri.path.chomp("/")
       end
+
+      def generate_csrf_token # :nodoc:
+        if urlsafe_csrf_tokens
+          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
+        else
+          SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
+        end
+      end
+
+      if RUBY_VERSION.start_with?("2.2")
+        # Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
+        using Module.new {
+          refine Base64.singleton_class do
+            def urlsafe_encode64(bin, padding: true)
+              str = strict_encode64(bin).tr("+/", "-_")
+              str = str.delete("=") unless padding
+              str
+            end
+
+            def urlsafe_decode64(str)
+              # NOTE: RFC 4648 does say nothing about unpadded input, but says that
+              # "the excess pad characters MAY also be ignored", so it is inferred that
+              # unpadded input is also acceptable.
+              str = str.tr("-_", "+/")
+              if !str.end_with?("=") && str.length % 4 != 0
+                str = str.ljust((str.length + 3) & ~3, "=")
+              end
+              strict_decode64(str)
+            end
+          end
+        }
+      end
+
+      def encode_csrf_token(csrf_token) # :nodoc:
+        if urlsafe_csrf_tokens
+          Base64.urlsafe_encode64(csrf_token, padding: false)
+        else
+          Base64.strict_encode64(csrf_token)
+        end
+      end
+
+      def decode_csrf_token(encoded_csrf_token) # :nodoc:
+        if urlsafe_csrf_tokens
+          Base64.urlsafe_decode64(encoded_csrf_token)
+        else
+          begin
+            Base64.strict_decode64(encoded_csrf_token)
+          rescue ArgumentError
+            Base64.urlsafe_decode64(encoded_csrf_token)
+          end
+        end
+      end
   end
 end

data/lib/action_controller/test_case.rb

@@ -177,12 +177,12 @@ module ActionController
 
   # Methods #destroy and #load! are overridden to avoid calling methods on the
   # @store object, which does not exist for the TestSession class.
-  class TestSession < Rack::Session::Abstract::SessionHash #:nodoc:
+  class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
     DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
 
     def initialize(session = {})
       super(nil, nil)
-      @id = SecureRandom.hex(16)
+      @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
       @data = stringify_keys(session)
       @loaded = true
     end

data/lib/action_dispatch/request/session.rb

@@ -93,7 +93,7 @@ module ActionDispatch
         key = key.to_s
 
         if key == "session_id"
-          id&.public_id
+          id && id.public_id
         else
           @delegate[key]
         end

data/lib/action_dispatch/routing/polymorphic_routes.rb

@@ -288,10 +288,12 @@ module ActionDispatch
 
             args = []
 
-            route = record_list.map { |parent|
+            route = record_list.map do |parent|
               case parent
-              when Symbol, String
+              when Symbol
                 parent.to_s
+              when String
+                raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
               when Class
                 args << parent
                 parent.model_name.singular_route_key
@@ -299,12 +301,14 @@ module ActionDispatch
                 args << parent.to_model
                 parent.to_model.model_name.singular_route_key
               end
-            }
+            end
 
             route <<
             case record
-            when Symbol, String
+            when Symbol
               record.to_s
+            when String
+              raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
             when Class
               @key_strategy.call record.model_name
             else

data/lib/action_dispatch/testing/integration.rb

@@ -401,6 +401,7 @@ module ActionDispatch
           super
         end
       end
+      ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
     end
   end
 

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 5
     MINOR = 2
-    TINY  = 4
-    PRE   = "3"
+    TINY  = 6
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 5.2.4.3
+  version: 5.2.6
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-18 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.6
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.6
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.6
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.3/actionpack
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.4.3/actionpack/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.6/actionpack
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.6/actionpack/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).